edwindwalker / edwinwalker

Personal site

NowSecure dynamic analysis: Using HTTP Exposing Network Data to Interception and Manipulation #25

Closed edwindwalker closed 9 months ago

edwindwalker commented 2 years ago

Finding Description

HTTP requests were detected during dynamic analysis. Every HTTP request can potentially reveal information about the behaviors and identities of the user. A remote attacker with access to the same local or upstream network as the user could use network monitoring software such as Wireshark to observe and modify the data.

Steps to Reproduce

Use a packet interception and analysis tool, such as Wireshark, on your testing network to identify unencrypted network traffic that may contain sensitive information.

NowSecure's test for this finding involves capturing HTTP traffic between an app running on a physical device and servers. This test results in a list of servers that the app connected to over insecure HTTP communications.

Business Impact

The app is not encrypting sensitive information being sent over the internet. A malicious actor could remotely observe and/or modify the sensitive data coming to and from servers, potentially affecting many users at once. Depending on the type of data being transmitted insecurely, this vulnerability could lead to exposure of sensitive personal data and/or intellectual property.

Remediation Resources

Recommended Fix

Android:

Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, and/or other sensitive data is going to be communicated to a backend API or web service.

Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) as well as contains the correct hostname.

For applications that must include compromised Certificate Authorities and experience complex phishing attacks against their users, additional security controls may be necessary to provide network protections. One such approach is to use certificate pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate pinning ensures that the client checks the server's certificate against a known copy of that certificate. Bundling the server's certificate inside the application and ensuring any SSL/TLS requests first validate that the server's certificate exactly matches the bundle's certificate is a method of accomplishing certificate pinning.

For some apps, certificate pinning may be impossible to perform. If the app allows users to enter their own domain names to connect to services, then no opportunity exists to embed a certificate. However, if the app is intended to connect to a known server or set of servers, all of the information is available to guarantee that the client is indeed talking directly to the server and without a man-in-the-middle eavesdropping. Please note that certificate pinning may not be suitable for organizations who cannot control the server-side certificate used in TLS validation or are not able to perform the certificate rotations in a timely manner to accommodate certificate expiration requirements.

Details and code snippets can be found at https://developer.android.com/training/articles/security-ssl.

Certificate transparency is an alternative to certificate pinning that can also be used to accomplish similar security protections without the same operational work. Certificate transparency is used to audit that a certificate has been issued legitimately by a certificate authority. This method prevents scenarios where a certificate was issued to a malicious actor of a domain the attacker does not own. Additional information can be found at https://github.com/babylonhealth/certificate-transparency-android.

iOS:

Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service.

For applications that must include compromised Certificate Authorities and experience complex phishing attacks against their users, additional security controls may be necessary to provide network protections. One such approach is to use certificate pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate pinning ensures that the client checks the server's certificate against a known copy of that certificate. Bundling the server's certificate inside the application and ensuring any SSL/TLS requests first validate that the server's certificate exactly matches the bundle's certificate is a method of accomplishing certificate pinning.

For some apps, certificate pinning may be impossible to perform. If the app allows users to enter their own domain names to connect to services, then no opportunity exists to embed a certificate. However, if the app is intended to connect to a known server or set of servers, all of the information is available to guarantee that the client is indeed talking directly to the server and without a man-in-the-middle eavesdropping. Please note that certificate pinning may not be suitable for organizations who cannot control the server-side certificate used in TLS validation or are not able to perform the certificate rotations in a timely manner to accommodate certificate expiration requirements.

Apple provides mechanisms to enforce secure connections in their developer docs which can be implemented through libraries such as AFNetworking https://github.com/AFNetworking/AFNetworking.

Certificate transparency is an alternative to certificate pinning that can also be used to accomplish similar security protections without the same operational work. Certificate transparency is used to audit that a certificate has been issued legitimately by a certificate authority. This method prevents scenarios where a certificate was issued to a malicious actor of a domain the attacker does not own. This can be enabled through the use of the NSAppTransportSecurity exception, NSRequiresCertificateTransparency: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsexceptiondomains

Code Samples

Bad Code Sample (.java)

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Cleartext: an http:// URL sends the request and response unencrypted
void fetchInsecure() throws IOException {
    URL url = new URL("http://www.appserver.com/");
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    try {
        // Do stuff
    } finally {
        urlConnection.disconnect();
    }
}

Good Android Network Security Configuration Sample (.xml)

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml; reference it from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application> -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">appserver.com</domain>
    </domain-config>
</network-security-config>

Good Code Sample (.java)

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// TLS: an https:// URL encrypts the channel and validates the server certificate
void fetchSecure() throws IOException {
    URL url = new URL("https://www.appserver.com/");
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    try {
        // Do stuff
    } finally {
        urlConnection.disconnect();
    }
}

Additional Guidance

Risk and Regulatory Information

Severity: medium CVSS: 6.5

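As an added example (not part of the NowSecure finding or this repository), the following Python audits an Android network_security_config.xml against a constructed list of URLs captured during dynamic analysis, as in the Steps to Reproduce above: it lists every host reached over http:// and whether the config would have permitted that request. Element and attribute names are those from the Android docs linked above; the longest-suffix matching rule, the default_cleartext parameter and the sample config and capture are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Constructed config: the finding's XML sample plus a permissive base-config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">appserver.com</domain>
  </domain-config>
</network-security-config>"""
# Constructed capture: URLs the app requested during dynamic analysis.
SAMPLE_CAPTURE = [
    "https://api.appserver.com/login",
    "http://cdn.appserver.com/banner.png",
    "http://telemetry.example.net/ping",
    "https://www.appserver.com/",
]

def parse_policy(xml_text, default_cleartext=True):
    """Return (base_allowed, [(domain, include_subdomains, allowed), ...]); the
    default applies when base-config is absent (true below targetSdk 28)."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_allowed = default_cleartext
    if base is not None:
        base_allowed = base.get("cleartextTrafficPermitted", "true") == "true"
    rules = []
    for dc in root.findall("domain-config"):  # top-level domain-configs only
        allowed = dc.get("cleartextTrafficPermitted", str(base_allowed).lower()) == "true"
        for d in dc.findall("domain"):
            rules.append((d.text.strip().lower(), d.get("includeSubdomains") == "true", allowed))
    return base_allowed, rules

def cleartext_allowed(host, base_allowed, rules):
    """Most specific (longest) matching domain rule wins; else base-config applies."""
    host, best = host.lower(), None
    for domain, subs, allowed in rules:
        if host == domain or (subs and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, allowed)
    return base_allowed if best is None else best[1]

def audit(xml_text, urls):
    """Sorted (host, permitted) per http:// host; a blocked host still means the app tried cleartext."""
    base_allowed, rules = parse_policy(xml_text)
    found = {}
    for u in urls:
        p = urlsplit(u)
        if p.scheme == "http":
            found[p.hostname] = cleartext_allowed(p.hostname, base_allowed, rules)
    return sorted(found.items())
```

A host reported as blocked by the config still indicates code that builds an http:// URL and should be changed to https://, since the config only stops the request at runtime.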